Amazon Web Services (AWS)

NAT Gateway

NAT Gateway is an Amazon Network Address Translation (NAT) service that allows you to connect instances in a private network to external services outside your VPC, while those services can’t initiate a connection to those instances.
The cost of using NAT Gateway depends on the amount of data processed through it. Basic data transfer costs for NAT Gateway start at $0.045 per GB and decrease as the amount of data processed increases. Additionally, there is an hourly charge for each NAT Gateway that is running.
Terraform Name
NAT Gateway
  • allocation_id - (Optional) The Allocation ID of the Elastic IP address for the gateway. Required for connectivity_type of public.
  • connectivity_type - (Optional) Connectivity type for the gateway. Valid values are private and public. Defaults to public.
  • subnet_id - (Required) The Subnet ID of the subnet in which to place the gateway.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Associating resources with a NAT Gateway
Resources do not "belong" to a NAT Gateway. Rather, one or more Security Groups are associated to a resource.

NAT Gateway via Terraform:
The following HCL creates a public NAT gateway in the specified subnet and associates the Elastic IP address with the specified allocation ID. When you create a public NAT gateway, you must associate an Elastic IP address.

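resource "aws_nat_gateway" "example" {
 # aws_eip.example and aws_subnet.example are assumed to be defined
 # elsewhere in the configuration.
 allocation_id = aws_eip.example.id
 subnet_id     = aws_subnet.example.id

 tags = {
   Name = "gw NAT"
 }

 # To ensure proper ordering, it is recommended to add an explicit dependency
 # on the Internet Gateway for the VPC.
 depends_on = [aws_internet_gateway.example]
}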

NAT Gateway via CLI:

[--allocation-id <value>]
[--client-token <value>]
[--dry-run | --no-dry-run]
--subnet-id <value>
[--tag-specifications <value>]
[--connectivity-type <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]


aws ec2 create-nat-gateway \
   --subnet-id subnet-0250c25a1fEXAMPLE \
   --allocation-id eipalloc-09ad461b0dEXAMPLE
